There is an accepted notion in some corners of cybersecurity that maintains “there is no peacetime.” For many of us, that is a daunting premise — as it discounts extensive CISO efforts to extend multi-year investments in cybersecurity tools, innovation, and resources to address ongoing cyberattacks focused on business services transitioned to cloud and SaaS platforms.  

In cloud- and SaaS-based Incident Response, however, there is an acknowledged “peacetime” that equates to the intervals occurring between real-world breach attempts and associated organizational investigations. So many IR vendors are front-and-center in assisting their organizational efforts to identify breach attempts and coordinate efficient investigative response activities, but their customers frequently question the value of their annual subscriptions with their contracted provider between firefights.

Organizations relying on large-scale cloud and SaaS investments should rightfully expect their IR vendor to provide a regular program of readiness activities that will assist security teams’ efforts to make their business better prepared to withstand the next cyberattack. In response to these customer expectations, here’s how IR vendors should respond.

Don’t delay forensic data acquisition and storage

Establishing IR peacetime value should actually begin during customer onboarding, with upfront cloud and SaaS log collection using established connectors into de facto sources like AWS, GCP, Azure, MongoDB, Snowflake, Okta, Salesforce, and Slack. Proactive forensic data acquisition reduces the risk, execution, and downtime associated with standard investigations by enabling cybersecurity teams to commence IR activities immediately after the breach is identified, leveraging securely stored, easily queried forensic data.  

Don’t forget — the longer the data storage provided by the vendor, 1,000 days for example, the more successful your future incident response activities.

Establish a shared-responsibility model during onboarding

In addition to proactive data collection, look for IR solutions focused on establishing a shared-responsibility partnership that enables your organization to maximize your vendor’s IR personnel, technology, data, and recommended practices. This model helps organizations minimize critical incidents and quickly return to business as usual. Relying on the continuity of known IR vendor contacts across both investigations and peacetime activities resolves questions about associated third-party staffing availability and delays that can impede both incident response and building cyber resilience.

Expect incident response readiness programs to enhance organizational cyber resilience

Lessons-learned from recent, successful IR investigations are great – but why should they be limited to in-house activities? IR vendors should apply real-world cloud and SaaS threat analysis activities found “in the wild” or another account across the entire customer base, including yours. Proactive threat hunts dedicated to your organization’s environment should be provided on a regular cadence, quarterly, for example.

In complementing this focus on proactive threats, your organization’s IR resilience should involve vendor-provided Breach and Readiness Assessment programs that identify gaps and provide recommended-practices guidelines on how best to close them.

Leverage vendor automation to improve your cloud and SaaS IR investigation efficiencies

Hands-on expertise in maximizing your forensic data in successful IR investigations is a strong contributor to minimizing disruptions. So, too, is IR automation that reduces the investigative response process.  

Derive more value from your stored forensic data

IR vendors should provide assistance in helping organizations overcome the challenging differences that exist in cloud/SaaS log collection versus an on-premises model by providing recommended-practices aligned with industry standards for forensic investigation, including logging formats, forensic gathering procedures, and default log retention. Customer demands for data lake access and management should apply to the cloud and SaaS forensic baseline, as well — ask IR vendors about their policies for providing direct customer access to collected logs.

LAST UPDATED:

August 19, 2024

Don't miss these stories:

EKS Role Unchaining: Tracing AWS Events Back to Pods for Enhanced Security

Learn two approaches for EKS unchaining that allow teams to associate AWS events with the pods that triggered them.

5 Common Threat Actor Tactics Used in Cloud, Identity, and SaaS Attacks

Explore five common tactics used in cloud attacks and recommendations on how to defend against them.

Tactical Guide to Threat Hunting in Snowflake Environments

It was brought to our attention that a threat actor has been observed using stolen customer credentials to target organizations utilizing Snowflake databases.

Unlocking Cloud Security with Managed Detection and Response

See how Mitiga’s Cloud Managed Detection and Response tackles complex cyber threats with proactive threat management and advanced automation at scale.

Rethinking Crown Jewels Analysis: Mitigating Cybersecurity Bias

Uncover the risks of bias in Crown Jewels Analysis (CJA) and learn strategies to protect your organization's most valuable assets with a comprehensive approach.

Microsoft Breach by Midnight Blizzard (APT29): What Happened?

Understand the Midnight Blizzard Microsoft breach by APT29, what happened, and key steps organizations should take to strengthen their defenses.